Authby, an Intermediate-rated machine, is a Windows box with an open FTP share that is used to enumerate users and upload a reverse shell (fetched with cURL and a few extra parameters), followed by privilege escalation with a kernel exploit of your choice.
The initial nmap scan shows the machine is relatively locked down, with FTP and a few HTTP ports open. As an aside, I've really been digging how realistic the Offsec Proving Grounds machines are, so starting with full port scans and disabling ping tests has become pretty standard. Here's the nmap output:
Starting with FTP, we can access a fair number of files, but none of them seem that juicy. The only information we can glean from this is a set of .uac files indicating the other FTP users on the machine: offsec, admin, and the account we're using, anonymous. A quick guess at some default credentials in another FTP session reveals the admin user's password is admin. Very nice. In this new session, we find two juicy files: .htaccess and .htpasswd.
I did some scouring and found a Base64-encoded PHP shell that grabs a remote file and executes it. Let's make some basic tweaks to the IP, port, and the directory path to match what we found in .htaccess. We can then start a Python web server locally on port 80 and a listener on port 242 in the hope of catching the reverse shell.
Welp, that's odd, but some quick googling shows it can be a compatibility issue with FTP shares that are also served over the web. Thankfully, cURL has a native option to deal with that, so let's add it and try again:
Now that we're on the machine, we can run some enumeration to see what we notice. On first check, we see it's a standard 2008 Server with no patches/hotfixes applied. SWEEEEET. There are a TON of exploits you could use at this point, but let's try CVE-2018-8120, a Win32k Elevation of Privilege vulnerability that has public exploit code in a MASSIVE repository of CVEs. There are plenty of avenues you could take to exploit this machine given that it's a flat 2008 Server, so pick your poison.
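The defender's counterpart to that enumeration, added here as an example and not part of the original write-up: a PowerShell check that reports a host's OS version and installed hotfixes and flags the state this box was in (a Server 2008-era OS with nothing applied). It uses Get-WmiObject rather than CIM cmdlets so it also runs on the PowerShell 2.0 that shipped with Server 2008; the 90-day and version thresholds are my assumptions.

```powershell
# Added example: quick patch-state triage for a Windows host.
# Win32_QuickFixEngineering lists CBS/MSU-based updates only, but a count of
# zero on a server is still a strong signal that nothing has been applied.
function Get-PatchState {
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $fixes = @(Get-WmiObject -Class Win32_QuickFixEngineering)

    # NT 6.0 = Server 2008, NT 6.1 = Server 2008 R2; both left extended support
    # on 14 January 2020, so no new kernel fixes ship for them.
    $parts = $os.Version.Split('.')
    $eol   = ([int]$parts[0] -eq 6 -and [int]$parts[1] -le 1)

    $findings = @()
    if ($eol) {
        $findings += "OS is end-of-life ($($os.Caption)); unfixed kernel bugs stay unfixed"
    }
    if ($fixes.Count -eq 0) {
        $findings += "No hotfixes recorded in Win32_QuickFixEngineering"
    }

    New-Object PSObject -Property @{
        Host        = $os.CSName
        OS          = $os.Caption
        Version     = $os.Version
        HotfixCount = $fixes.Count
        HotfixIDs   = @($fixes | ForEach-Object { $_.HotFixID })
        Findings    = $findings
    }
}

$state = Get-PatchState
$state | Format-List Host, OS, Version, HotfixCount, HotfixIDs
if ($state.Findings.Count -gt 0) {
    Write-Warning ("Host {0} needs attention: {1}" -f $state.Host, ($state.Findings -join '; '))
}
```

Run it under an account that can query WMI on the target; pipe `Get-PatchState` to `Export-Csv` to collect results across a fleet.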
Hey, I'm RJ. I'm a cybersecurity professional who wanted a place to jot down some ramblings about all things cyber: penetration testing write-ups, certifications, and some tidbits I've found helpful when trying to turn 0's into 1's.
V10.2.122.0 SyncBackPro, SyncBackSE, SyncBackFree (23rd May 2023)
Updated: Possible crash on program start on pre-Windows 10, e.g. Windows Server 2016
Updated: Profiles that run On Change do not use too many resources when they are using invalid directories
Updated: Manifest file corrected so interface scales correctly on Windows Server 2016
Updated: Connection timeout for email (send and retrieve) changed to 15 seconds from 60 seconds
Fixed: Possible loop when a profile runs On Change and is set to delete all empty directories and there are non-empty read-only directories
Fixed: Default settings when using Microsoft SMTP email servers
Fixed (Pro): Unable to change SBMS connection settings if not an SBMS administrator
V10.2.112.0 SyncBackPro, SyncBackSE, SyncBackFree (18th April 2023)
New: %ACTUALSOURCE% and %ACTUALDEST% variables
New: Can scroll Advanced tab of Restore Wizard using mouse wheel
Fixed: Main window not maximizing on start
Fixed: Stack overflow (and crash) when scanning (due to getting symbolic link last access date and time)
Fixed: SyncBack would sometimes raise an error that a SyncBack Touch drive did not exist
Fixed (Pro): Change in SharePoint to try redirecting downloads with more than one redirection
Fixed (Pro): Do not invalidate access token if error is 403 Forbidden as it may end in a loop and cause the server to invalidate the refresh token (OneDrive)
Fixed: Advanced tab of Restore Wizard sometimes did not show scroll bars unless resized
Fixed: Windows shortcut configured to start SyncBack minimized or maximized was not starting SyncBack correctly
Fixed: If a Windows shortcut starts SyncBack minimized then no splash window is displayed
V10.2.99.0 SyncBackPro, SyncBackSE, SyncBackFree (8th March 2023)
New: Will use SYNCBACKTEMP environment variable as directory for all temporary files if it exists
Updated: Numerous updates to creating, modifying and deleting schedules and help file updated
Fixed (Pro): When using shared settings the refresh token may not be updated while multiple profiles using same cloud are being run
Fixed (Pro): Unable to select Ransomware file when using Google Drive
Fixed (Pro): Was trying to delete legacy folders from Azure
Fixed: Rollback pop-up menu in Restore Wizard was not initialized unless History tab was displayed
Fixed: DPI and small font size issues
V10.2.88.0 SyncBackPro, SyncBackSE, SyncBackFree (4th January 2023)
New: Can press F5 to refresh Differences window
New: Double-click can now run or queue a profile unattended
Updated (Pro/SE): Quick settings option in Log settings for a profile
Updated (Pro/SE): Can use the "Do not store password" option when creating scheduled tasks on Windows 10
Updated (Pro/SE): Mouse cursor changes when hovering over versions icon in Differences window
Updated (Pro/SE): Non-elevated version of SyncBack also installed
Updated: Option to forcibly disconnect network connections
Updated (Pro): hubiC cloud service has been discontinued
Updated: Italian translations and tweaks to interface for Italian
Updated: Can select directory when using volume GUID and not drive letter
Updated (Pro/SE): Ransomware protection filename for profile is changed to use drive serial instead of letter
Fixed (Pro): You cannot use archival fast backup when using cloud
Fixed (Pro/SE): FTP concurrent downloads
Fixed: The uninstaller displayed an access violation error when uninstalling if SyncBack had never been run
Fixed: Hash values for files over 4GB may be incorrect
Fixed (Pro/SE): Webhook and Pushover failure notification messages will now be sent for critical failures
Fixed (Pro): For pCloud, the option to delete all files and folders did not delete sub-folders
Fixed: Parallel compression may not work when run from schedule
Fixed: When compressing to a single file the NTFS security is taken from the temp directory
V10.2.49.0 SyncBackPro, SyncBackSE, SyncBackFree (16th August 2022)
Fixed: Handling of Alt key and shortcuts in main and Differences window
Fixed: Decryption profile settings page did not allow revert or copy from another profile
Fixed: The filter hit count in the log for folders may be twice the expected result
Fixed: Will not use the default new profile location (e.g. cloud) when creating a new profile if, for example, cloud was not used in the wizard
Fixed: If Errors tab is displayed, and profile prompts with error message at end, then could not click OK
Updated (Pro): Added support for new AWS S3 Hong Kong region
Updated (Pro): Improved support for IBM Object Storage (supports Tags)
Updated (Pro): Changes to properly support Contabo S3 Compatible Object storage
V10.2.39.0 SyncBackPro, SyncBackSE, SyncBackFree (29th June 2022)
Updated (Pro): Authentication method changed for Google Drive and Google Photos (new method required by Google)
Updated (Pro): RunRunAfterBefore script call can now abort the profile
Updated: More likely to be able to suggest a UNC path for a drive letter
Updated: Partial folder selection icon in File and Folder selection window tweaked to make more obvious
Updated (Pro/SE): When encrypting filenames in Zip files it is now clearer that you cannot use no compression and must use Deflate or BZip2
Fixed: Creating new shared settings may not save shared settings
Fixed: Double-clicking on a folder in the file and folder selection window was not expanding or contracting
Fixed (Pro): Compressed files were re-uploaded after a Force Rescan with Google Drive and Dropbox
Fixed: When using DevArt and UTF8, filenames may be retrieved without UTF8 if MLST is used
Fixed: When using multi-zip, a change in a folder's date and time was not copied across
Fixed (Pro): Renew BackBlaze AUTH token before it expires
Fixed: Cleaned entries no longer reappear in file and folder selection window when refreshing
Fixed: In Group profile config window profiles that were in the group were not shown when filter changed
Fixed: On When->Periodically, can now set an "only run between" time range that straddles midnight
Fixed (Pro): Sharefile: correctly encode filenames containing special characters during uploads
V10.2.28.0 SyncBackPro, SyncBackSE, SyncBackFree (4th May 2022)
Updated: Full main window refresh when SyncBack becomes active window
Updated: Compiled using latest version of Delphi (11.1)
Updated: Auto-close will not try to close child windows (will only do that now if "Forcibly close" is enabled)
Fixed: Option to not copy NTFS offline files was being ignored
Fixed: Changes to Differences window to resolve small DPI issues
Fixed (Pro/SE): Under extremely high memory use there may be issues with 64-bit version
Fixed (Pro): May fail to get file details from cloud (if not uploaded using SyncBackPro)
Fixed (Pro): With cloud storage systems that have virtual folders, folders containing no files may not be seen
Fixed: With threaded FTP uploads, and no safe copy, files in profile base folder may upload to FTP root folder
Fixed: Do not treat reply 451 as an error when using Chilkat FTP
Fixed: Crash when Windows set to forcibly use Bottom-Up ASLR
V10.2.14.0 SyncBackPro, SyncBackSE, SyncBackFree (9th March 2022)
New: Option in profile list header pop-up menu in main window to factory reset column positions, widths and visibility
New: Option in profile list header pop-up menu in main window to auto-size column widths
New (Pro): Pascal script to only run a profile if a specific file exists
Updated: Hint shown in Settings page of Global Settings for number of profiles found in each folder
Updated: Numerous tweaks and minor fixes in user interface
Updated: Can double-click on items in Compression->Compressed to change them
Fixed (Pro): Exception in New Profile Wizard and Profile Configuration if using Backblaze B2 and exceeded caps
Fixed: Email was not sent if profile aborted and using compressed log
Fixed: Issues with maximized windows when using non-standard DPI
Fixed (Pro): Filenames with special characters would be re-uploaded to PCloud on every run if versioning enabled